[systemd-devel] access /proc of nspawn container

Lennart Poettering lennart at poettering.net
Wed Sep 20 11:30:44 UTC 2017


On Mi, 20.09.17 13:13, arnaud gaboury (arnaud.gaboury at gmail.com) wrote:

> For some reasons (custom kernel with user namespace activated) my
> container filesystem owners and permissions have lots of errors. In
> short, some files/folders belong to nobody/nobody when in fact they
> should be owned by root:root.

This is the result of user namespacing, and reflects the fact that
these files in /proc are owned by the host's root, which is not
available in the container, and ensure that the container doesn't get
access to files in /proc that are unsafe to access from untrusted
containers. If you invoke nspawn without --private-users= on the
command line you can turn this off, but in that case the user tables
between the host and the container are shared and thus things are a
lot less secure.

> But I have a problem when it comes to upgrade (container is Fedora, host
> Arch) some packages, filesystem being one of them. To upgrade, the
> system needs access to /proc/filesystems which is unfortunately owned by
> nobody:nobody and can't be changed from host.  And the proc folder is
> empty for the host, so I can't chown from host.

Hmm, read access should generally be available to
/proc/filesystems. Are you saying that the container can't even read
that file?

> How can I access (if I can) container /proc from host?
> 
> In general, to solve this annoying owner issue in container
> (nobody:nobody), I was thinking of making root part of the nobody group. I
> know this is a hack, but are there any troubles down the road in doing this?

Let's just say that the user namespacing logic on Linux isn't really
ready for the prime-time yet... (neither in the Linux kernel nor in nspawn).

Lennart

-- 
Lennart Poettering, Red Hat
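The nobody:nobody ownership Lennart describes comes from the kernel's ID-map lookup: a file whose host-side owner falls outside every range in the namespace's uid_map is reported with the overflow UID (65534). The script below is an added illustration, not code from the thread or from systemd; it parses a uid_map in the /proc/<pid>/uid_map format and reports how a host UID appears inside the container. The 1878982656 base in the constructed sample is an assumption modelled on the large random ranges --private-users=pick chooses, and OVERFLOW_UID assumes the kernel default.

```python
"""Why a container file shows up as nobody: its host owner is unmapped."""
import os
from typing import List, Optional, Tuple

OVERFLOW_UID = 65534  # kernel default; real value is /proc/sys/kernel/overflowuid

# Constructed sample of /proc/self/uid_map as seen inside an nspawn container
# started with --private-users=pick (container uid 0..65535 -> host range).
SAMPLE_UID_MAP = "         0 1878982656      65536\n"


def parse_id_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map/gid_map lines into (inside, outside, count) triples."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip blank or malformed lines
            continue
        ranges.append((int(parts[0]), int(parts[1]), int(parts[2])))
    return ranges


def host_to_container(ranges: List[Tuple[int, int, int]],
                      host_id: int) -> Optional[int]:
    """Translate a host-side ID into the namespace; None if unmapped."""
    for inside, outside, count in ranges:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return None


def apparent_owner(ranges: List[Tuple[int, int, int]], host_id: int) -> int:
    """ID the kernel reports for a host-owned file; unmapped -> overflow ID."""
    mapped = host_to_container(ranges, host_id)
    return OVERFLOW_UID if mapped is None else mapped


def proc_filesystems_readable() -> bool:
    """Read access does not depend on ownership; check it the way a
    package manager would, via os.access."""
    return os.access("/proc/filesystems", os.R_OK)


if __name__ == "__main__":
    with open("/proc/self/uid_map") as f:  # live map of the current namespace
        live = parse_id_map(f.read())
    print("host root appears as uid", apparent_owner(live, 0))
    print("/proc/filesystems readable:", proc_filesystems_readable())
```

Inside a --private-users container the first line prints 65534 (host root is unmapped), while on the host itself it prints 0 because the identity map covers everything.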
